6.2. Authentication using LDAP

To access the LDAP service, the LDAP client first must authenticate itself to
the service. That is, it must tell the LDAP server who is going to be accessing
the data so that the server can decide what the client is allowed to see and
do. If the client authenticates successfully to the LDAP server, then when the
server subsequently receives a request from the client, it will check whether
the client is allowed to perform the request. This process is called access
control.

In LDAP, authentication is supplied in the "bind" operation. Ldapv3 supports
three types of authentication: anonymous, simple and SASL authentication. A
client that sends a LDAP request without doing a "bind" is treated as an
anonymous client. Simple authentication consists of sending the LDAP server the
fully qualified DN of the client (user) and the client's clear-text password.
This mechanism has security problems because the password can be read from the
network. To avoid exposing the password in this way, you can use the simple
authentication mechanism within an encrypted channel (such as SSL), provided
that this is supported by the LDAP server.

Finally, SASL is the Simple Authentication and Security Layer (RFC 2222). It
specifies a challenge-response protocol in which data is exchanged between the
client and the server for the purposes of authentication and establishment of a
security layer on which to carry out subsequent communication. By using SASL,
LDAP can support any type of authentication agreed upon by the LDAP client and
server.
The Cyrus-SASL package is available at the following URL: http://asg.web.cmu.edu/sasl/sasl-library.html.

Further on authenticating users to access information from your Directory Tree,
your LDAP server can authenticate users from other services too (Sendmail,
Login, Ftp, etc.). This is accomplished migrating specific user information to
your LDAP server and using a mechanism called PAM (Pluggable Authentication
Module). The authentication module for LDAP is available as a tar ball on the following
address:
http://www.padl.com/OSS/pam_ldap.html